
HQC Post-Quantum Cryptography Decryption with Generalized Minimum-Distance Reed-Solomon Decoder

Jiaxuan Cai, Xinmiao Zhang

Abstract

Hamming Quasi-Cyclic (HQC) was chosen for the latest post-quantum cryptography standardization. A concatenated Reed-Muller (RM) and Reed-Solomon (RS) code is decoded during HQC decryption. Soft-decision RS decoders achieve better error-correcting performance than hard-decision decoders and accordingly shorten the required codeword and key lengths. However, the only soft-decision decoder for HQC in prior works is an erasure-only decoder, which has limited coding gain. This paper analyzes other hardware-friendly soft-decision RS decoders and finds that the generalized minimum-distance (GMD) decoder makes better use of the soft information available in HQC. By extending the Agrawal-Vardy bound to the HQC setting, it is shown that the RS codeword length for HQC-128 can be reduced from 46 to 36. This paper also proposes efficient GMD decoder hardware architectures optimized for the short, low-rate RS codes used in HQC. HQC-128 decryption using the proposed GMD decoder achieves 20% and 15% reductions in latency and area, respectively, compared to decryption with hard-decision decoders.

Paper Structure

This paper contains 6 sections, 2 equations, 4 figures, 3 tables and 1 algorithm.

Figures (4)

  • Figure 1: DFRs of the concatenated RM $(128, 8)$ and RS $(n_{RS}, 16)$ code for HQC-128.
  • Figure 2: Block diagram of the one-pass GMD RS decoder.
  • Figure 3: Implementation architectures for GMD erasure addition: (a) polynomial evaluation, (b) polynomial updating.
  • Figure 4: Computation scheduling of the proposed erasure addition and polynomial selection.